Christian Toon has held positions of management for over 20 years. Currently, he serves as the CISO of Pinsent Masons, one of the largest law firms in the UK. At Pinsent Masons, Christian Toon is responsible for developing security policies in accordance with international standards, and to keep the firm safe from cyber-attacks.
In addition, Christian Toon also serves as a freelance Board Member for the National Cyber Resilience Leaders Board – a division of the Scottish Government, where he provides advice, support, and challenges to better protect the Scottish people and businesses.
In this episode, Christian Toon talks:
- Are Law Firms Spending Enough on Cyber Security?
- The Need for Cyber Security Leadership in Law Firms
- Lack of Funding for Cyber Security
- Client Confidentiality and Risk of Data Breach
- Hybrid Working and IT Vendors
- How Can Smaller Firms Fill the CISO Gap?
- Global Cyber Doomsday Event
- Role of a CISO
Show notes
- Intro (00:00)
Chief Information Security Officer at Pinsent Masons, Christian Toon, joins the show to discuss cyber security in the legal sector and the issues that surround it.
- Are Law Firms Spending Enough on Cyber Security? (3:17)
The discussion opens on security and addressing a crucial question: are law firms spending enough money on cyber security? Christian Toon answers the question by exploring the state of the industry, what firms are doing, how they are doing it, and what else they should be doing.
“It’s a very subjective question to say whether the firm is spending enough, or an organisation is investing enough in security. It comes down to their risk. As an industry, however,[…] I think there’s still a hell of a long way to go. And I say that because when I look across our peer group, we’re still seeing and the conversations around not enough resource, not enough investment, not taking it seriously enough and I just think as a profession, we should be really on the ball with this.”
- The Need for Cyber Security Leadership in Law Firms (6:45)
Christian Toon examines the CISO role and its significance in this part of the programme. He recognises that not all firms may have a CISO, but it is crucial to have someone who will examine cyber threats, comprehend them, and take steps to solve the problem. Christian stresses the importance of elevating security to the board level and having someone who can be responsible for cyber problems – be it the Head of IT or the CIO.
“The security conversation needs to be at the board and they need to have a representative to help champion security and translate it to what it means to the business. [Security is] not the only thing that a firm needs to worry about. There are a number of other areas of focus, things that make the firm tick. But equally, security, as we are seeing now more than ever, especially from our clients, is becoming one of the single biggest things they want to talk to us about. So, why would you not have that elevated to the right level within your organisation?”
- Lack of Funding for Cyber Security (10:36)
With digitisation being elevated to such high levels, funding for cyber security is needed more than ever for law firms. If a firm is not spending enough on their cyber security, their data is at risk. The firm may believe that if an issue emerges, it can be handled, but at the end of the day, prevention is far better than cure.
“There are two types of organisations […] Those that have been breached and those that don’t know it. And I think that mindset shift is to […] still operate under ignorance or bias; “that hasn’t happened yet, so, therefore, we are, kind of, betting on a risk that may or may not ever materialise.” [This is] because some of the investment required to deal with this properly is sizeable.”
- Client Confidentiality and Risk of Data Breach (12:15)
Protection of client data is vital to firms, and it is unethical to not secure that data which firms have in their possession. In example, Christian Toon talks about the rising attacks on Barristers’ Chambers, and how it can affect them negatively. Lawyers have access to important and confidential documents, and as such, it is their duty to protect that data no matter what.
“We’re very fortunate that a large percentage of our ‘end users,’ if you will, are regulated professionals in a profession that stands above many across the globe and a big part of that is around confidentiality. […] The challenge has been around the transfer of that approach into digital ecosystems that we now rely on to run organisations and that’s the nuance. So, extra security to protect particular things, say file transfer, is right to protect that confidentiality, but actually is probably seen then by the end user as extra process.
- Hybrid Working and IT Vendors (17:58)
Christian Toon highlights the enormous size of the IT vendor market and addresses some of the challenges that come along with this. For example, certain businesses may take advantage of smaller, less knowledgeable law firms in order to offer them subpar solutions. He advises firms to explore the root of their problem before investing in flashy, trendy technology, as it may create more problems than it solves.
“The way I see it is that you’ve got a lot of technology and resources and skills out there in the market to take advantage of but equally, if you don’t know what you are buying or don’t know what actually the heart of your problem is, you might find yourself tied into a three-year agreement with some technology that’s perhaps compounding the issue.”
- How Can Smaller Firms Fill the CISO Gap? (26:37)
Christian shares advice for leaders in smaller firms looking for sound advice on cyber security. He highlights a network of CISOs and other technology professionals that have come together to help each other and are willing to aid and advise smaller businesses on how to better defend themselves from cyber-attacks.
“There is a fantastic group of security leaders, CISOs, heads of security engineers from most of the legal community and we’ve got informal channels for chat, communication, and collaboration. We’ve all got the same problem and it’s fantastic that we have continued to foster the relationships and the view that a rising tide raises all ships.
- Global Cyber Doomsday Event (29:40)
Towards the end of the conversation, we explore rumours surrounding increased cyber-attacks and the idea of a large-scale disruption. Listen to find out Christian’s views on this subject and how well he believes law firms are for something of this nature.
“I think we may see some big events happen. […] In my mind’s eye, I feel that we have phishing, we have ransomware, we have business email compromise, or invest and invoice fraud, and all the different permutations of cyber headaches. I do think we are perhaps due a big cyber event, but not what we’ve seen before. So, something game changingly different.”
- Role of a CISO (36:31)
Can a CISO magically solve all cyber security issues of a firm? Certainly not. In this section of the podcast, Christian explores his role as a CISO, what it means, what he can do, and of course, what he cannot do.
“Organisations sometimes underplayed the importance of risk management. Maybe focus, perhaps, towards conduct risk as a practice and not necessarily operational risk. But really understanding the cyber security risks in the organisation, you can, not necessarily absolve yourself of that accountability, but you can understand the decisions of what’s the security risks you have, what does it mean, what do you need to do for that, and there are things I can control and there are things I can’t.”
Shaped for Law is a CTS-produced podcast series that takes you on a journey into the minds of legal tech leaders and innovators. Follow the link below for more episodes with CTS, as we explores the state – and the future – of legal technology.
